{"id":30570,"date":"2024-03-03T13:54:38","date_gmt":"2024-03-03T21:54:38","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=30570"},"modified":"2024-03-03T13:54:38","modified_gmt":"2024-03-03T21:54:38","slug":"sb-2024-03-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/03\/sb-2024-03-03\/","title":{"rendered":"Security Bits \u2014 3 March 2024"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Another defeat for the NSO group: \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/thehackernews.com\/2024\/03\/us-court-orders-nso-group-to-hand-over.html\">U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 Microsoft have finally followed through on their promise to the US government that government Office365 tenancies will get double the retention time on audit logs for free (90 days \u2192 180 days) \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-finally-expands-free-logging-but-only-for-govt-agencies\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The Federal Trade Commission are continuing to crack down on scammy tax apps in the run-up to tax season: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/ftc-sues-handr-block-over-deceptive-free-online-filing-ads\/\">FTC sues H&amp;R Block over deceptive &#8216;free&#8217; online filing ads \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>There was some dramatic action in the fight against Ransomware in the last two weeks, with authorities around the world cooperating in <em>Operation Cronos<\/em> to try to take down <em>LockBit<\/em>, the biggest ransomware gang of 2023 by far:\n<ul>\n<li><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/police-arrest-lockbit-ransomware-members-release-decryptor-in-global-crackdown\/\">Police arrest LockBit ransomware members, release decryptor in global crackdown \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-offers-15-million-bounty-for-info-on-lockbit-ransomware-gang\/\">US offers $15 million bounty for info on LockBit ransomware gang \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown\/\">LockBit ransomware secretly building next-gen encryptor before takedown \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin\/\">LockBit ransomware gang has over $110 million in unspent bitcoin \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers\/\">LockBit ransomware returns to attacks with new encryptors, servers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddea\ud83c\uddfa as the DMA&#8217;s go-live dates approach, there are more developments around Apple&#8217;s compliance plans:\n<ul>\n<li>There was a brief kerfuffle around the rarely used Progressive Web Apps feature in the EU \u2014 TL;DR: Apple said they couldn&#8217;t make it both secure and cross-browser so they removed it, some developers and some EU politicians got cranky, Apple said they would not remove it after all, but would keep it webkit-only instead \u2014 <a 
href=\"https:\/\/arstechnica.com\/gadgets\/2024\/03\/apple-changes-course-will-keep-iphone-eu-web-apps-how-they-are-in-ios-17-4\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/03\/01\/spotify-epic-complain-again-that-apple-wont-be-in-compliance-with-the-dma\">Spotify, Epic complain again that Apple won&#8217;t be in compliance with the DMA \u2014 appleinsider.com\/\u2026<\/a> (in an open letter)<\/li>\n<li>Apple released a white paper detailing how their plans protect Apple users in the EU as much as they can, explaining why EU users will nonetheless be less secure than other users, and in the process, giving the most detailed information I&#8217;ve yet seen about exactly what Apple do as part of App Review (32 pages, but well worth a skim at least) \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/03\/01\/apple-stresses-security-risks-of-complying-with-eus-digital-markets-act\">appleinsider.com\/\u2026<\/a><\/li>\n<li>The White Paper: <a href=\"https:\/\/developer.apple.com\/security\/complying-with-the-dma.pdf\">Complying with the Digital Markets Act \u2014 developer.apple.com\/\u2026<\/a> (PDF)<\/li>\n<li>The white paper includes quite a few emails to Tim Cook from concerned Europeans \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/03\/01\/apple-cites-bevy-of-scared-users-to-back-up-its-case-against-the-eu-dma\">appleinsider.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p>This is really happening: <a href=\"https:\/\/appleinsider.com\/articles\/24\/02\/29\/setapp-announces-beta-of-ios-app-store-for-the-eu\">Setapp announces beta of iOS app store for the EU \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Apple&#8217;s Post-Quantum iMessage Encryption<\/h2>\n<p>Apple have had end-to-end encryption by default for a long time now, and it\u2019s based on the best in class public-key cryptography certified for use today by standards bodies like the US National 
Institute of Standards and Technology (NIST). Today, that cryptography is extremely robust, but it\u2019s based on math we know would become crackable should anyone invent a practical quantum computer. That\u2019s very unlikely in the next 5 years, but quite plausible in the five or ten after that, so the cybersecurity world is busy preparing for that likely future now.<\/p>\n<p>It takes a long time to develop robust new cryptographic algorithms, so this work has already been underway for years. We now have a selection of candidate quantum-resistant algorithms in the final stages of review by NIST, so tech companies are starting to roll out their initial implementations.<\/p>\n<p>If you\u2019re wondering why roll out changes now to address a problem that\u2019s probably a decade out, it\u2019s because of the so-called <em>\u2018Harvest Now, Decrypt Later\u2019<\/em> attack. Large, well-resourced organisations like governments can hoover up encrypted messages from important or interesting people now, save them in big data farms, and then crack them in five or ten years.<\/p>\n<p>Apple is by no means the first to move on this, but they do seem to have leap-frogged the rest of the pack with their announcement of changes that are coming into effect pretty much immediately!<\/p>\n<p>Apple have named their solution PQ3 which they refer to as \u2018level 3\u2019 post-quantum encryption. This is not a level on some kind of standard or generally accepted scale, but a term of Apple\u2019s own invention. It\u2019s their way of saying \u201cWe are first to offer this comprehensive solution\u201d.<\/p>\n<p>Level 0 is no encryption at all, at least not by default, and you might expect that category to be empty in 2024, but alas not, that\u2019s where you find Skype, QQ, Telegram &amp; WeChat. Level 1 is end-to-end encryption that\u2019s not quantum-safe, so where Messages is before PQ3 rolls out in a few weeks. 
Other apps Apple class as level 1 include Line, Viber &amp; WhatsApp. Level 2 apps use new quantum-safe crypto algorithms, but don\u2019t add the extra layer Apple have in PQ3; Apple put Signal at level 2.<\/p>\n<p>So, what does Apple do beyond where the open source world has gotten to? They have added periodic key rotation, so even if a key were to be leaked or stolen (more likely than one being cracked), the damage would be limited to just a few messages, while the leak of a Signal private key would expose the entire conversation that key secured.<\/p>\n<p>Apple\u2019s blog post announcing PQ3 goes into an impressive amount of detail and answers all the obvious questions like which of the NIST candidate algorithms it uses (Kyber with ML-KEM). The opening few sections in particular are well worth a read, and the more detailed later sections are well worth a skim. One thing that caught my eye was Apple\u2019s clever solution to the obvious problem that these new algorithms have not yet been subjected to decades of concerted theoretical and practical attacks like our current algorithms have been (for the obvious reason that they\u2019re new!). Apple are chaining the new algorithms with the current ones, so an attacker needs to break <strong>both the current and the new algorithms<\/strong> to break into messages. 
The blog post also describes the mathematical proofs of their algorithm conducted by leading academics in world-class universities and research institutes.<\/p>\n<p>It was also nice to see Apple repeatedly give due credit to competitors for their innovations, including in the opening line of the conclusion:<\/p>\n<blockquote><p>\n  \u201cEnd-to-end encrypted messaging has seen a tremendous amount of innovation in recent years, including significant advances in post-quantum cryptography from Signal\u2019s PQXDH protocol and in key transparency from WhatsApp\u2019s Auditable Key Directory\u201d\n<\/p><\/blockquote>\n<p>From a practical POV, Apple are following Signal\u2019s lead and phasing in PQ3 support in parallel with continued support for the current algorithms \u2014 until PQ3 is fully bedded in and until all clients have upgraded, there will be a mix of the new and the old encryption schemes in use. Given the closed nature of their system, it looks like Apple will be first to commit fully to post-quantum algorithms, with a commitment to complete the transition \u2018by the end of 2024\u2019. 
It seems reasonable to expect an \u2018upgrade or get cut off\u2019 warning and a final end date for support of the current system this autumn.<\/p>\n<p>PQ3 support will start with the release of iOS 17.4, iPadOS 17.4, macOS 14.4 &amp; watchOS 10.4 any day now.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Apple\u2019s blog post announcing the changes: <a href=\"https:\/\/security.apple.com\/blog\/imessage-pq3\/\">iMessage with PQ3: The new state of the art in quantum-secure messaging at scale \u2014 security.apple.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/24\/02\/21\/apple-is-hardening-imessage-encryption-now-to-protect-it-from-a-threat-that-doesnt-exist-yet\">Apple is hardening iMessage encryption now to protect it from a threat that doesn&#8217;t exist yet \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/02\/apple-unveils-pq3-protocol-post-quantum.html\">Apple Unveils PQ3 Protocol &#8211; Post-Quantum Encryption for iMessage \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Linux Desktop users and Android users (those who can anyway) need to update their OSes ASAP to get a fix for part of the WiFi stack (<code>wpa_supplicant<\/code>) that has a bug that allows attackers to trick devices into connecting to rogue access points and leaking the passwords to known WiFi networks \u2014 <a href=\"https:\/\/thehackernews.com\/2024\/02\/new-wi-fi-vulnerabilities-expose.html\">thehackernews.com\/\u2026<\/a> (or apply the cumbersome workaround of manually configuring the CA cert for all work\/school WiFi networks they use)<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security 
community.<\/aside>\n<ul>\n<li>European Android Users are being successfully targeted with the Anatsa banking trojan via the Google Play Store \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/anatsa-android-malware-downloaded-150-000-times-via-google-play\/\">www.bleepingcomputer.com\/\u2026<\/a> (150K downloads!)\n<ul>\n<li><strong>related:<\/strong> A timely reminder that while the Apple App Store is safer than the Play Store, it&#8217;s not perfect, so you still need to be careful, especially with anything involving cryptocurrencies: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-distributed-fake-crypto-finance-apps-in-app-store-leading-to-100k-losses\/\">Apple distributed fake crypto finance apps in App Store, leading to $100K losses \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Another major security gaffe by Wyze: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/wyze-camera-glitch-gave-13-000-users-a-peek-into-other-homes\/\">Wyze camera glitch gave 13,000 users a peek into other homes \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/20-million-cutoutpro-user-records-leaked-on-data-breach-forum\/\">20 million Cutout.Pro user records leaked on data breach forum \u2014 www.bleepingcomputer.com\/\u2026<\/a> (users have not been notified, and the leak contains passwords; they are salted and hashed, but at least some with the obsolete MD5 hashing algorithm)<\/li>\n<li>Critical vulnerabilities in two heavily used WordPress Plugins:\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/02\/wordpress-plugin-alert-critical-sqli.html\">WordPress Plugin Alert &#8211; Critical SQLi Vulnerability Threatens 200K+ Websites \u2014 thehackernews.com\/\u2026<\/a> (Ultimate Member)<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/02\/wordpress-litespeed-plugin.html\">WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk \u2014 
thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/anycubic-3d-printers-hacked-worldwide-to-expose-security-flaw\/\">Anycubic 3D printers hacked worldwide to expose security flaw \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Another new way sloppy IT practices in major companies facilitate spam: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign\/\">Hijacked subdomains of major brands used in massive spam campaign \u2014 www.bleepingcomputer.com\/\u2026<\/a> (named <em>SubdoMailing<\/em>)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/signal-rolls-out-usernames-that-let-you-hide-your-phone-number\/\">Signal rolls out usernames that let you hide your phone number \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Beta users only ATM)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/bitwardens-new-auto-fill-option-adds-phishing-resistance\/\">Bitwarden\u2019s new auto-fill option adds phishing resistance \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\n<p>GitHub move to block a common source of data breaches: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-enables-push-protection-by-default-to-stop-secrets-leak\/\">GitHub enables push protection by default to stop secrets leak \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Has existed as an opt-in feature for some time, and they have been fine-tuning their algorithm before this global rollout)<\/p>\n<ul>\n<li><strong>Related:<\/strong> Developers need to bear in mind that they are being actively targeted by attackers these days:<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-ai-models-on-hugging-face-backdoor-users-machines\/\">Malicious AI models on Hugging Face backdoor users\u2019 machines \u2014 
www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/02\/lazarus-exploits-typos-to-sneak-pypi.html\">Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems \u2014 thehackernews.com\/\u2026<\/a> (\ud83c\uddf0\ud83c\uddf5 North Korea state hackers)<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ftc-to-ban-avast-from-selling-browsing-data-for-advertising-purposes\/\">FTC to ban Avast from selling browsing data for advertising purposes \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Federal Trade Commission)<\/p>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-executive-order-bans-mass-sale-of-personal-data-to-china-russia\/\">New executive order bans mass sale of personal data to China, Russia \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool \ud83d\ude0e<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>Not practical attacks, but very cool (or hot \ud83d\ude09) security research:\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/voltschemer-attacks-use-wireless-chargers-to-inject-voice-commands-fry-phones\/\">VoltSchemer attacks use wireless chargers to inject voice commands, fry phones \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cultofmac.com\/847074\/printlistener-fingerprint-security-risk\/\">Just the sound of a touchscreen swipe can give away your fingerprint \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> (via Allister Jenks on Slack) <a 
href=\"https:\/\/wetdry.world\/@nonfedimemes\/111986379436678293\">Funny conversation on Mastodon using all abandoned Google names \u2014 wetdry.world\/\u2026<\/a><\/li>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>\ud83c\udfa7 The fascinating history of how we got to a calendar with leap days: <a href=\"https:\/\/overcast.fm\/+0mxg1LJsE\">History Daily: The Leap Year \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>\ud83c\udfa6 The full video of the BBC Horizon documentary consisting almost entirely of a conversation with Feynman repeatedly excerpted in <a href=\"https:\/\/freakonomics.com\/the-curious-brilliant-vanishing-mr-feynman\/\">the Podcast miniseries on Feynman I recommended recently<\/a>: <a href=\"https:\/\/vimeo.com\/340695809\">Feynman: The Pleasure of Finding Things Out (1981) \u2014 vimeo.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A 
story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Another defeat for the NSO group: \ud83c\uddfa\ud83c\uddf8 U.S. 
Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp \u2014 thehackernews.com\/\u2026 \ud83c\uddfa\ud83c\uddf8 Microsoft have finally followed through on their promise to the US [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4845,1074,6440,114,3749,50,569,2003],"class_list":["post-30570","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-end-to-end-encryption","tag-imessage","tag-post-quantum","tag-privacy","tag-quantum","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=30570"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30570\/revisions"}],"predecessor-version":[{"id":30572,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/30570\/revisions\/30572"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\
/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=30570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=30570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=30570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}